The Zend Security Audit follows a comprehensive methodology developed over years of experience in analyzing Web, PHP and application vulnerabilities. The audit delivers a detailed evaluation of your PHP code for vulnerabilities, non-secure programming practices, and protection against a wide spectrum of known attack techniques. It consists of automated and manual penetration tests, attack-prone code pattern identification, and application transaction flow review.

Application Security Challenges

The average cost of a data breach increased to $7.2 M in 2010. Customer abandonment after publicly disclosed application data breaches is the dominant cost factor, and reputation damage caused by security exploits takes substantial time to reverse. With a growing number of attacks and exploit methodologies, often targeting multiple functionalities and layers in a single application, it is essential for businesses to identify flaws that could lead to the exposure of sensitive information or to malicious execution of undesired application behavior. Zend's security audit assigns a thorough risk assessment, based on the threat classifications defined by the Open Web Application Security Project (OWASP), to every identified coding fault and vulnerability. Detailed remediation recommendations are then discussed for each identified security risk.

The Zend Security Audit assesses a wide array of application vulnerabilities, which include:

Functional vulnerabilities
    - PHP Code Inclusion and PHP Code Evaluation
    - Shell Execution
    - SQL Injection and HTTP Header Injection
    - Cross-site Scripting (XSS) Vulnerabilities
    - Cross-site Request Forgery (CSRF)
    - File Permission, Access Control and Installation

Session Management Analysis
    - Weaknesses in Session Management
    - Session Fixation and Session Hijacking
    - Usage of Secure Cookies and HttpOnly Cookies

External Interfaces - Database Access, Web Services, Facebook API

Client-side Vulnerabilities (Optional)

Zend Security Quick Scan

The Quick Scan is a black-box test, during which Zend's security engineers imitate the typical techniques used by external parties attempting to attack the web application, without access to, or knowledge of, the underlying source code or the infrastructure itself.

The resulting Quick Scan report summarizes the main vulnerabilities identified. The automated Quick Scan process is included by default as part of the more extensive Security Audit; it can also be taken on its own as a preliminary step before a complete code audit is performed.